The basic password is the single biggest hole in network computing. Most network breaches are the result of hackers cracking simple passwords. Growing security concerns have enterprise network administrators searching for stronger authentication than simple alphanumeric passwords. Smart card technology--credit card-like cards that hold simple circuitry that can be used to validate the authenticity of an employee wishing to enter a network--is now being marketed not just to the government and financial industry but to the enterprise as well.

Many security experts believe the technology is solid and mature enough to improve security. But one small glitch for this new industry remains--a lack of interoperability among disparate products.

Along with smart card integration into the enterprise comes the promise of implementing the single sign-on capability, or allowing individuals to log onto a company system one time rather than having to deal with multiple passwords for different applications. Without two-factor authentication, IT directors see single sign-on as too risky.

Significant industry events may help usher in a smart card era. For example, Microsoft, which previously included support for smart card and public key infrastructure (PKI) in Windows 2000, recently added stronger smart card capabilities aimed at systems administrators to Windows XP. Computer makers, including Compaq, are beginning to ship smart card readers as an option with their systems.

A smart card is a credit card-sized electronic device that contains electronic memory and may include an embedded integrated circuit. There are three types of smart cards:

Memory card. The memory card is the oldest and currently the most widely used type of smart card. These cards are also known as stored value cards and hold memory only. A phone card is an example of a memory card. (These are not used for computer security.)
Microprocessor card. The chip on the microprocessor card provides access to the card's memory and offers other security features such as a PIN. These chips, like other computers, include RAM, ROM, and EEPROM. They typically have 32 kilobytes of memory and an 8- or 16-bit processor. The cards can store and run applications, such as for procuring company supplies. The cards are particularly well suited where strong authorization is needed to guard access to sensitive company data, in HR and legal departments, for example.

Cryptographic card. This sophisticated microprocessor card also performs cryptographic operations or for corporations requiring digital signatures. The card includes private key capabilities and allows for storage of the cryptographic features taking place on the card itself.

A smart card implementation includes software at the back end of the network. The software performs key management and card verification. Software is also installed on PCs, which are equipped with card readers. The back-end software doesn't limit how many employees can be given smart cards.

According to vendors and systems integrators, smart card technology costs between $50 and $150 per user for a typical enterprise installation, which includes the software, smart cards, and readers. The readers both write to the cards and read them.

IT administrators are most interested in using smart cards to consolidate multiple applications, such as PKI credential storage, user authentication, building access, and as a corporate ID badge.

"If you look at all the authentication a company has (to manage)--a picture ID card, PKI certificate, remote access token, and any number of static passwords--each credential has a system, a budget, and a resource," says Rod Stuhlmuller, vice president of corporate marketing for ActivCard. "Now you have the capability to consolidate all this."

Where the technology falls short, however, is its inability to be easily folded into an enterprise system.
Systems integrator Charles Walton, president of Massachusetts-based Caradas, says that before smart card technology can take off, vendors must provide a set of how-to tools that will help enterprises walk through the integration. In the meantime, experts say a significant amount of systems integration work is required to install smart card systems.

Others close to the industry also testify that the lack of interoperability among smart cards, software, and readers continues to be the burgeoning technology's biggest challenge. The most prominent smart card standard is ISO 7816, which outlines the physical characteristics of smart cards including flexibility, temperature resistance, chip location, and dimensions. While vendors claim compliance with ISO 7816, "Products still are not working right off the shelf with other smart card products…such as a Gemplus card and a Schlumberger reader," says Donna Farmer, president and CEO of the Smart Card Alliance, whose 185 members include financial companies and technology providers.

One ongoing debate--where information should be stored on a smart card--needs to be resolved to eliminate compatibility problems. This is why Walton advises enterprises to wait about one year before implementing smart card projects. When IT managers see systems that work out of the box, guaranteeing minimal setup, they'll know the technology is ready.

ActivCard, which focuses solely on smart card software, is widely viewed as a significant authentication player. The U.S. Department of Defense plans to issue 4.3 million cards using the ActivCard Smart Card and Digital Identity Provisioning System. These cards have 32-bit processors with 32K of memory. The DOD has installed ActivCard software on its back-end system, or issuance station, which controls the key management of the cards. The DOD also installed ActivCard software on the PCs that will talk to the cards.
The cards themselves include three applets: the identification, or PIN management; the generic container, or the security space on the card that stores information such as medical and payroll records; and the PKI, or the keys used for authentication, digital signatures, and encryption. These applets all run on a Java card sold by a separate vendor such as Gemplus. Other companies using the ActivCard system to deploy employee badges include Sun and Hewlett-Packard.

Recently, ActivCard teamed with digital certificate manufacturer VeriSign to combine digital certificate features with smart card technology. ActivCard will integrate its smart card and digital identity functionality with VeriSign's Managed PKI Service.

ActivCard's top rival, RSA Security, which leads the market in authentication technology such as tokens, recently acquired 3-G International (3GI). Because of this purchase, RSA now offers a smart card multi-application product called SecureID Passage. The software boasts features such as screen saver security, so that when a user takes out his card and walks away, the system locks up. RSA hopes that its huge installed base of enterprise authentication customers will give it an advantage over smart card competitors. The company claims to have seen a surge in smart card activity from enterprise companies over the last six to nine months. Officials said revenues from smart card sales have doubled over the last year, and interest in smart card demos has increased tenfold in the same period.

Smart card and reader hardware players include Gemplus and Schlumberger. These archrivals are now building their smart cards on the Java-based platform and see a business opportunity in offering software based on a standard platform in order to be compatible with all Java-based platforms. SchlumbergerSema, a division of Schlumberger Ltd., provides Java-based smart cards and readers. Flagship products include SchlumbergerSema Reflex readers and Cyberflex Access smart cards.
ActivCard typically provides the software for SchlumbergerSema's smart card deployments for enterprise customers.

Other than integration difficulties, most smart card analysts agree that the technology is very sophisticated and is an effective defense against the current threats to corporate networks, including the disgruntled employee. Once integration of smart card technology is simplified, Walton advises IT managers to look at the technology from a cost-reduction perspective to solve one problem at a time.

"In the enterprise, smart cards become the device you use to eliminate the password log-in. That user no longer needs to deal with multiple log-ins," says Caradas' Walton, "and you start creating an environment where your ability to digitally sign forms is now possible." Walton recalls one IT director of a multinational bank who claimed a significant portion of his security budget, more than $10 million, was eaten up by password resets alone.

While no technology is hacker-proof--although some vendors claim sophisticated smart cards are--smart cards appear to be today's best bet for increased security, lower administrative costs, and a simpler interface for the end user.